fix(macos): add inference.local to sandbox /etc/hosts for Ollama

[mihai-chiorean]

Summary

On macOS (Docker Desktop), the sandbox cannot resolve inference.local because there is no network namespace setup like on Linux. Ollama local inference fails silently.

Fix: After sandbox creation, on Darwin, exec into the sandbox and add inference.local pointing to the host gateway IP from /etc/resolv.conf to /etc/hosts. Applied to both:

• bin/lib/onboard.js (onboard wizard)
• scripts/setup.sh (legacy setup path)

Idempotent — skips if entry already exists.

Partially addresses #260 (Ollama DNS item)

Summary by CodeRabbit

• New Features

  • On macOS, setup now attempts to add an inference.local host entry inside the sandbox so local inference services resolve; failures to determine the host IP or patch hosts produce a non-fatal warning and setup continues.

• Chores

  • Temporary build context artifacts are removed immediately after sandbox startup to ensure consistent cleanup.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5cd6a8c7-3ee5-4c37-ac31-5c448750d271

📥 Commits

Reviewing files that changed from the base of the PR and between 6d3c20b and 5ed9e94.

📒 Files selected for processing (2)

• bin/lib/onboard.js
• scripts/setup.sh

✅ Files skipped from review due to trivial changes (1)

• scripts/setup.sh

---

📝 Walkthrough

Walkthrough

Adds a macOS-only post-setup step that connects to the OpenShell sandbox and ensures an inference.local entry exists in /etc/hosts. Also removes the temporary build context immediately after starting the dashboard port-forward, before sandbox registration completes.

Changes

Cohort / File(s)	Summary
macOS hosts patch bin/lib/onboard.js, scripts/setup.sh	Add Darwin-only logic that connects to the sandbox and conditionally appends an inference.local mapping to /etc/hosts using the sandbox's first nameserver IP; failures are suppressed/warned and non-fatal.
Build context cleanup bin/lib/onboard.js	Move/duplicate removal of the temporary build context (rm -rf "${buildCtx}") to run immediately after starting the dashboard port-forward, ensuring cleanup regardless of subsequent steps.

Sequence Diagram(s)

sequenceDiagram
  participant Host as Host (macOS)
  participant Onboard as Onboard (bin/lib/onboard.js)
  participant Setup as Setup script (scripts/setup.sh)
  participant OpenShell as OpenShell CLI
  participant Sandbox as Sandbox (/etc/hosts, /etc/resolv.conf)

  Host->>Onboard: start sandbox creation
  Onboard->>Onboard: start dashboard port-forward
  Onboard->>Onboard: rm -rf "${buildCtx}"
  Onboard->>OpenShell: openshell connect/forward (darwin only) via Setup
  OpenShell->>Sandbox: read /etc/resolv.conf (get first nameserver)
  OpenShell->>Sandbox: if missing, append "IP inference.local" to /etc/hosts
  Sandbox-->>OpenShell: success / already present / error (ignored)
  OpenShell-->>Onboard: return result (warn on failure)
  Onboard->>Host: continue sandbox registration/completion

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped into Darwin's shell tonight,
Poked resolv.conf by soft moonlight,
I wrote a line for inference.local,
Cleaned my crumbs — build ctx, no toll,
Sandbox and host now share the light. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding inference.local DNS resolution to the sandbox /etc/hosts on macOS to support Ollama.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/lib/onboard.js`:
- Around line 223-234: The macOS branch that runs when process.platform ===
"darwin" builds a command that blindly extracts an IP from /etc/resolv.conf and
appends it as "IP inference.local" to /etc/hosts, which can produce an invalid
hosts entry if no nameserver exists; update the logic around the run(...) call
that references sandboxName so it first validates the extracted IP (e.g., ensure
the grep/awk result matches an IPv4 pattern) and only appends the hosts line
when a valid IP is found, otherwise skip the append or use a safe fallback
(e.g., host.docker.internal) and log a warning; keep this check adjacent to the
existing run invocation so the command executed is conditional on the validated
IP.

In `@scripts/setup.sh`:
- Around line 202-208: The sandbox /etc/hosts append command can write a blank
IP if no nameserver is found; modify the sh -c script run by openshell sandbox
connect nemoclaw to capture the nameserver into a variable, test it is
non-empty, and only then echo "$IP inference.local" >> /etc/hosts (otherwise
skip or log a warning). Locate the one-liner passed to openshell (the grep
nameserver /etc/resolv.conf | head -1 | awk "{print \$2}" pipeline) and replace
it with a small shell snippet that sets IP=$(grep -m1 '^nameserver'
/etc/resolv.conf | awk '{print $2}'), checks [ -n "$IP" ], and appends only when
non-empty.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 687166ef-e5fe-4e45-babb-eb4e9ce6ab8d

📥 Commits

Reviewing files that changed from the base of the PR and between 0d1d2d8 and 123e420.

📒 Files selected for processing (2)

• bin/lib/onboard.js
• scripts/setup.sh

[coderabbitai]

🧹 Nitpick comments (1)

bin/lib/onboard.js (1)

530-531: Remove duplicate build-context cleanup.

buildCtx is already removed earlier, so this second cleanup is redundant in the success path.

Proposed simplification

-  // Clean up build context
-  run(`rm -rf "${buildCtx}"`, { ignoreError: true });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bin/lib/onboard.js` around lines 530 - 531, The second cleanup call is
redundant—remove the duplicate run(`rm -rf "${buildCtx}"`, { ignoreError: true
}) so buildCtx is only removed once; locate the duplicate invocation of run that
references buildCtx in onboard.js (the cleanup near line ~530) and delete that
extra call, ensuring any remaining cleanup logic still runs in error/final
paths.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@bin/lib/onboard.js`:
- Around line 530-531: The second cleanup call is redundant—remove the duplicate
run(`rm -rf "${buildCtx}"`, { ignoreError: true }) so buildCtx is only removed
once; locate the duplicate invocation of run that references buildCtx in
onboard.js (the cleanup near line ~530) and delete that extra call, ensuring any
remaining cleanup logic still runs in error/final paths.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3a37e338-63f6-4cc4-b2b5-2d462917b479

📥 Commits

Reviewing files that changed from the base of the PR and between 9934718 and 4e6d61c.

📒 Files selected for processing (2)

• bin/lib/onboard.js
• scripts/setup.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/setup.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/lib/onboard.js`:
- Around line 1506-1507: The duplicate cleanup call is redundant: remove the
second invocation of run(`rm -rf "${buildCtx}"`, { ignoreError: true }) so the
build context is only removed once; locate the later occurrence of run(...) that
references buildCtx in onboard.js and delete that redundant call, leaving the
original cleanup (the earlier run(...) call around where buildCtx is first
removed) intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 23408131-90e3-4da8-b0e9-aa31efb0148d

📥 Commits

Reviewing files that changed from the base of the PR and between 4e6d61c and 6d3c20b.

📒 Files selected for processing (2)

• bin/lib/onboard.js
• scripts/setup.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/setup.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove duplicate build context cleanup.

The build context is already removed at line 1454 (run(\rm -rf "${buildCtx}"`, { ignoreError: true });`). This second cleanup is redundant—the directory no longer exists by this point.

🧹 Proposed fix

   runOpenshell(["forward", "start", "--background", "18789", sandboxName], { ignoreError: true });

-  // Clean up build context
-  run(`rm -rf "${buildCtx}"`, { ignoreError: true });
-
   // macOS: add inference.local to sandbox /etc/hosts so Ollama DNS resolves.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Clean up build context
	run(`rm -rf "${buildCtx}"`, { ignoreError: true });
	runOpenshell(["forward", "start", "--background", "18789", sandboxName], { ignoreError: true });
	// macOS: add inference.local to sandbox /etc/hosts so Ollama DNS resolves.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bin/lib/onboard.js` around lines 1506 - 1507, The duplicate cleanup call is
redundant: remove the second invocation of run(`rm -rf "${buildCtx}"`, {
ignoreError: true }) so the build context is only removed once; locate the later
occurrence of run(...) that references buildCtx in onboard.js and delete that
redundant call, leaving the original cleanup (the earlier run(...) call around
where buildCtx is first removed) intact.

[mihai-chiorean]

Closing — this fix was already merged upstream in 123e420 (#436). No longer needed.